The CIO 14 years later: Power vs. paperwork

Fourteen years after Clinger-Cohen established the job, CIOs still struggle for real control.

Two years ago, shortly after Commerce Department officials confessed to Congress that a $595 million project for using handheld computers in the 2010 census would not be ready because of significant schedule, performance and cost issues, one observer opined in a trade journal: Where was the Census Bureau chief information officer while this train was derailing?

The answer: He was busy tending to the bureau's networks, servers and office computers, much as he was asked to do. In fact, the bureau's CIO's job description and assignments did not include being on the handheld management team, even though it was one of the agency's most significant information technology projects ever.

Census leaders are now working to correct that disconnect. The bureau’s new associate director for IT and CIO is Brian McGrath, and he said things have changed. His spot on the 2020 Decennial Leadership Group, plus a plan to centralize more IT efforts, will give him much more say as Census leaders envision and develop the technology systems used for future population counts and other bureau activities.


In this report

So you want to be a CIO?

The CIOs' growing workload


“We’re being given the opportunity to be involved in programs and projects in the formative stage,” McGrath said.

This is the way it was supposed to be. The IT Management Reform Act of 1996, later renamed the Clinger-Cohen Act for its chief sponsors, former Rep. William Clinger (R-Pa.) and former Sen. William Cohen (R-Maine), created the CIO position in government agencies and intended for those who hold the jobs to have pivotal positions and influence over how agencies buy and use IT.

Fourteen years later, many say the government CIO role is still very much a work in progress, and the original intentions of Clinger-Cohen, while moving toward that target, are not nearly fulfilled.

But if ever there were a need for a strong, plugged-in CIO, it is now. The speed of new technology washing over government has accelerated drastically since 1996, all begging for a CIO’s studied attention and singular focus.

IT is seeping into every corner of government, including powering an agency’s telephones and building-security systems, serving the public and supporting agency operations, and increasingly enabling — at the very bones of democracy — greater interaction between government and the governed. IT is also at the nexus of many hot-button issues, from government transparency to environmental sustainability.

“The work on our plate has grown,” said Casey Coleman, the General Services Administration's CIO.

Unfortunately, big-ticket IT programs still run amok far too often, punctuated by slip-ups with consequences that dwarf their simple circumstances and reveal the high costs of mismanagement. For instance, in 2006, a Veterans Affairs Department employee lost a laptop computer loaded with millions of veterans’ unsecured personal records. VA had to pay $20 million last year to settle the class-action lawsuit that followed.

In response to that incident and threats from Congress to do something before it does, VA leaders launched a plan to drastically recast the department’s IT organization. Atop the newly centralized IT office now sits a CIO with complete authority over the department’s entire $3.3 billion IT appropriation, power that he hasn’t been shy to use.

“That is so many orders of magnitude of change from the standard department CIO role that it’s really difficult to express,” said Roger Baker, VA’s assistant secretary for information and technology and CIO. Baker also was the Commerce Department's CIO from 1998 to 2001.

However, VA doesn’t have a lot of company around government in this highly empowered-CIO approach. So why is it taking so long for federal CIOs to do the job they were supposed to do? Why aren’t more agencies leaning on their CIOs to choose technologies wisely and manage IT projects effectively?

Present and past government CIOs say there are several reasons. For one, before the new-desk smell could even wear off in their freshly decorated offices, CIOs became burdened with a growing set of compliance paperwork and reports. The obligations are well intended, such as bolstering cybersecurity and rooting out waste and mismanagement from IT programs. But they have required CIOs and their staffs to perform a constant juggling act.

CIO authority has also been checked time and again by calcified and often decentralized agency cultures that resist ceding power. Many CIOs lack the access to or credibility with agency officials necessary to play a more influential role. Finally, it has simply taken a lot of time for agencies to stand up and mature the capital planning and project management techniques that are critical tools of CIO power and effectiveness.

Progress is being made on all those fronts, but it’s taking much longer than expected.

Welcome to the Government

The seeds of the CIO position were planted in the early 1990s as businesses realized that they could use IT to do more than just speed existing paper-based routines or wring inefficiency from traditional operations. They could fundamentally change — or re-engineer, as the buzzword of the day went — their work processes and organizational structures using IT as a catalyst and enabler.

This increasingly important role for IT, measured both by its growing presence and the big money spent on it, meant that an organization’s top technology managers needed to complement their expertise with a better, more in-depth understanding of the business side of the house.

In the public sector, proponents for creating the CIO position in government were motivated as much by the desire to seize new opportunities as they were to improve the government’s famously inconsistent track record on managing large-scale, expensive IT projects.

The government CIOs envisioned by the Clinger-Cohen Act would serve as strategic advisers to agency leaders and apply the IT investment controls and planning and project management tools that the private sector was successfully using.

However, many of those in the initial crop of CIOs that agencies selected to meet the new law were expeditious choices, competent government careerists but not instant power brokers or partners with top agency executives.

“A lot of the departments and agencies just took the director in charge of automatic data processing operations and gave them the title of chief information officer to be in compliance with the new directives,” said Karen Evans, administrator for electronic government and IT at the Office of Management and Budget from 2003 to 2009.

The CIO office quickly became the focal point for a growing workload of regulations and compliance exercises that arose whenever IT or information management issues were involved. Some, as part of Clinger-Cohen, were there from the start, such as strengthening the capital planning and investment controls for IT spending and using enterprise architecture modeling.

CIOs are supposed to use enterprise architecture to inventory all existing IT assets and processes and how they support agency operations. That insight and understanding should allow them to identify and eliminate redundancies and other inefficiencies. It should also help them better plan for and guide new technology investments that more closely align with evolving operational needs and priorities. Agencies must annually submit their enterprise architectures to OMB for review.

Many other compliance responsibilities soon landed on the CIO’s plate. Among them, OMB started requiring agencies in 2001 to submit business cases for proposed IT systems and document that they were following proper project management practices. A year later, the Federal Information Security Management Act required agencies to file quarterly and annual reports showing that they have certified and accredited IT systems, regularly inventory those systems and their security configurations, and trained staff on security issues.

The piling up of reporting requirements began dictating the focus of CIO attention. “Ten years ago, we were a compliance organization,” said Robert Carey, who became the Navy Department's CIO three years ago. But that orientation is not the best fit for today’s environment, in which industry introduces new technologies at a dizzying pace and government risks getting left behind.

“Now we have to be far more agile in our ability to render decisions and policies and guidance so that we can stay current with how the world is evolving,” Carey said.

Agility is his goal, but Carey still owns all the accountability that has accumulated with the CIO. In addition to his CIO hat, which includes managing about 12,000 people in the Navy IT workforce, he also serves as the Navy’s critical infrastructure assurance officer; its senior military component official for privacy, or chief privacy officer; and its senior information assurance officer, a cybersecurity position.

It’s a lot of responsibility but not unmanageable. “Being a CIO is a full contact sport,” Carey said.

Power Check

The compliance duties can reveal another fact of life for many government CIOs: the disconnect between responsibility and authority when CIOs don’t control IT budgets.

Jim Flyzik, who was Treasury Department CIO until 2002 and is now a consultant, remembers his frustration when the FISMA reports he submitted for the department indicated security deficiencies.

“I know the problem, I know how to fix it, I’m responsible to fix it, yet I don’t have the authority to allocate the dollars to the program,” Flyzik recalled. “It’s a tough situation to be in.”

Far too many government CIOs still live with this Catch-22 today, he said.

Authority means more than deciding where to spend money on new programs and technologies. It also means being able to pull the plug on systems and projects that aren’t delivering what’s needed.

Older IT systems and applications often take a disproportionate share of agency IT spending. Coleman said GSA directs more than 80 percent of its IT spending to the operation and maintenance of existing systems, leaving only the remainder to invest in new technologies. She wants to increase spending on new technology to 40 percent.

But shuttering or downsizing government operations can be easier said than done, especially for a CIO who doesn’t have strong say over the IT budget. VA's Baker said that while he was at Commerce, he was more of a recommender. Shutting down programs there involved extensive deliberation and negotiation with many stakeholders.

At VA and armed with ultimate IT budget authority, Baker last year halted 45 IT projects deemed to be underperforming, eventually canceling 12 of them. “I sent out an e-mail, ‘This is what we’re going to do, so we need to make it happen,’” he said.

The other key to his empowerment is his direct relationship with VA Secretary Eric Shinseki. “I see the secretary every morning at 8 a.m.,” Baker said, though pointing out that he works more frequently with the deputy secretary, chief of staff and other assistant secretaries.

Clinger-Cohen called for this kind of relationship, and although agencies have codified it on paper, reality can be another story. “Just because an organizational chart shows a box and line that you’re supposed to be at the table with the secretary doesn’t necessarily mean that people value what you have to say,” Evans said.

CIOs are divided about whether politically appointed CIOs have more clout than career ones. Some argue that political appointees will have an inside track and receive more support from the department and agency leaders, which is invaluable when making difficult changes. Others say that careerists are equally capable of receiving such access and support.

The CIO’s credibility and influence is based as much on his or her skills and ability as whether or not the agency leadership views IT as a strategic tool and investment, Flyzik and others said.

Another factor that affects CIO authority is the degree to which the department or agency is centralized or decentralized. Baker said the decentralized nature of the Commerce Department when he was there allowed Census leaders to exclude the bureau’s CIO from the ill-fated handheld program.

“The internal politics at Census was determined to keep the CIO out of the decennial [census], and even with the [Commerce] CIO putting all of his weight behind getting that program to be part of what reported to the Census CIO, it didn’t happen,” Baker said.

Where It Stands Now

Government CIOs who want to move quickly to take advantage of the latest, greatest new technologies, from social media to mobile wireless and cloud computing, couldn’t have wished for a better supporter in the White House than Vivek Kundra, the federal CIO and Evans' successor as administrator for electronic government and IT at OMB.

Kundra’s accomplishments as chief technology officer for the District of Columbia included the adoption of many of these new technologies. He has continued to push along the same path since joining the federal government, with the agenda expanded to include technologies that can facilitate President Barack Obama’s desires for greater government transparency and accountability.

Navy CIO Carey said he believes that Kundra wants to make the department and major agency CIOs the responsible, accountable and empowered officials that Clinger-Cohen envisioned. OMB officials did not reply to interview requests for this story.

In terms of concrete steps that might let CIOs be more chief innovation than chief compliance officers, OMB revised the capital planning process in June 2009 to lower the reporting burden on agencies, reducing the number of data elements requested from agencies from 58 to 24.

“Rather than annually collecting a massive array of information that might not be used, we shifted to the monthly collection of focused information that informs better decision-making,” Kundra told the Senate Budget Committee Task Force on Government Performance in December.

Meanwhile, GSA CIO Coleman said other compliance requirements, such as FISMA, are becoming less burdensome as agencies become better at collecting the required security information.

Progress in other areas is still a matter of time and continuing effort. For example, Census CIO McGrath is working to institutionalize the use of earned value management for all of the bureau's IT projects. EVM helps managers keep projects on track by providing early warning signs of possible schedule delays and cost overruns.

OMB has required agencies to use EVM for large IT projects since 2005, but for some agencies, it remains yet another half-hearted compliance exercise. A Government Accountability Office review in October found that 13 of 16 major IT projects at eight agencies failed to follow key practices necessary for sound EVM execution, though all the agencies had EVM policies in place.

Ditto for enterprise architecture, which most agencies comply with on paper, but in practice, they have had mixed results. GAO continues to churn out reports that detail the failure of many departments and agencies to complete the most basic of enterprise architecture implementation steps, let alone to achieve a more mature use of enterprise architecture to routinely guide strategic IT investments, achieve standardization and eliminate redundancy.

For example, as of June 2009, the Food and Drug Administration was still building out some basic elements of its enterprise architecture models and lacked sufficient depth in the elements it already had, according to a GAO report. Attempting to define and build major IT systems without first completing an enterprise architecture and more detailed segment architectures for specific systems is risky, GAO said. FDA has more than a dozen IT modernization projects under way.

There will surely be other new requirements pushed onto the CIO’s desk in the future and, as before, not all will be accompanied by funding. They will just become another ball in the air for the juggling act that CIOs have always been asked to perform.
Many CIOs believe the answer to meeting these challenges and delivering innovative and cost-effective IT solutions for government is to continue pushing on the path of standardization and centralization.

“There’s a huge demand on the CIO to rein in and create some more centralized solutions to optimize the spend,” Carey said. “We can’t afford to have 20 different ways to do something.”

Baker said his goal at VA is to lead by example and show the rest of the government that consolidating appropriation and decision-making authority with the CIO is the answer to the problems of decentralized IT.

It remains to be seen if VA’s CIO strongman model becomes the way of the future across government or if it was just the answer to one department’s particular shortcomings.

NEXT STORY: The CIOs' growing workload

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.